
Chapter 6 • Using ACID and SnortSnarf with Snort

Figure 6-7 Searching database using ACID.
Figure 6-8 Searching for all alerts that contain “ATTACK RESPONSE” string in the signature.
Figure 6-9 Result of query used in Figure 6-8.
Figure 6-10 Unique destination addresses for alerts in Snort database.

6.3.5 Searching whois Databases

To get whois information about a particular address, you can click on any address and select a particular whois database, such as the American Registry for Internet Numbers (ARIN) at http://www.arin.net. The response to such a query for IP address 66.236.16.52 is shown in Figure 6-11. This information is very important for incident response: it is usually the first step in finding out the owner of the attacking IP address and his/her contact number. After finding this information, you can contact the owner to stop the bad guys from probing your network.

Figure 6-11 Response to whois query.

6.3.6 Generating Graphs

Generating graphs is still experimental in ACID at the time of writing this book; I have included it for the sake of introducing this interesting feature. The ACID main page provides a link to generate graphs. When generating graphs, you can select the data and the type of graph. For example, you can generate a line or bar graph for alerts in the last five days. Figure 6-12 shows a sample bar graph for the alert data. ACID uses the PHPLOT package on the back end to generate these graphs. You can also use another package, JPGRAPH, in place of PHPLOT. JPGRAPH has a different licensing scheme and there may be some restrictions on using it in a commercial environment.

NOTE: The functionality described in this section is just an overview of ACID capabilities. In addition to the tasks presented here, you can also use ACID to archive data, delete data from the database and so on.

6.3.7 Archiving Snort Data

You created a new database called snort_archive in the previous sections to archive the data from the main Snort database. Using ACID, you can either move alerts from the main database to the archive database or just copy them. For example, if you want to move all alerts from the main database to the archive database, click the number next to “Total Number of Alerts” on the main ACID page. The next page displays all of the alerts in the database; if there are more than 50 alerts, only the first 50 are displayed. Now you can use the bottom part of the screen to archive the alerts as shown in Figure 6-13. Note that only the bottom part of the browser window is shown in this figure. If you click the “Entire Query” button in Figure 6-13, all alerts (not just the 50 displayed) will be moved to the archive database. The result of this action is shown in Figure 6-14.

Figure 6-12 Graph of alert data.
Figure 6-13 Moving alerts to the archive database.
Figure 6-14 Result of moving alert data to archive database.
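The two ACID operations shown above, the Figure 6-8 signature search and the Section 6.3.7 archive move, expressed as SQL against a minimal SQLite copy of three Snort tables. This is an added example, not code from the book or from ACID; the column names (sig_id, sig_name, sid, cid, ip_src, ip_dst) are assumed from the Snort schema, and the alert rows and signature names are constructed.

```python
import socket, sqlite3, struct

# Column subsets of three Snort tables from Section 6.3.8 (column names assumed from the Snort schema).
TABLES = {
    "signature": "sig_id INTEGER PRIMARY KEY, sig_name TEXT",
    "event": "sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT",
    "iphdr": "sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER",
}

def ip_to_int(dotted):  # Snort stores addresses as unsigned 32-bit integers
    return struct.unpack("!I", socket.inet_aton(dotted))[0]

def int_to_ip(n):  # ACID converts them back to dotted form for display
    return socket.inet_ntoa(struct.pack("!I", n))

def build_db():  # 'snort' database plus an attached 'snort_archive', loaded with constructed alerts
    db = sqlite3.connect(":memory:")
    db.execute("ATTACH DATABASE ':memory:' AS snort_archive")
    for prefix in ("main", "snort_archive"):
        for tbl, cols in TABLES.items():
            db.execute(f"CREATE TABLE {prefix}.{tbl} ({cols})")
    db.executemany("INSERT INTO signature VALUES (?, ?)", [  # constructed signature names
        (1, "ATTACK RESPONSE id check returned root"), (2, "ICMP PING"),
        (3, "ATTACK RESPONSE 403 Forbidden")])
    db.executemany("INSERT INTO event VALUES (?, ?, ?, ?)", [
        (1, 1, 1, "2003-01-01 10:00:00"), (1, 2, 2, "2003-01-01 10:00:05"),
        (1, 3, 3, "2003-01-01 10:01:00")])
    db.executemany("INSERT INTO iphdr VALUES (?, ?, ?, ?)", [
        (1, 1, ip_to_int("66.236.16.52"), ip_to_int("192.168.1.10")),
        (1, 2, ip_to_int("10.0.0.5"), ip_to_int("192.168.1.10")),
        (1, 3, ip_to_int("66.236.16.52"), ip_to_int("192.168.1.20"))])
    return db

def alerts_matching(db, text):
    """Figure 6-8: alerts whose signature name contains `text`, as (sid, cid, name, src, dst)."""
    rows = db.execute(
        "SELECT e.sid, e.cid, s.sig_name, i.ip_src, i.ip_dst FROM event e "
        "JOIN signature s ON s.sig_id = e.signature "
        "JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid "
        "WHERE s.sig_name LIKE ? ORDER BY e.cid", ("%" + text + "%",))
    return [(sid, cid, name, int_to_ip(src), int_to_ip(dst)) for sid, cid, name, src, dst in rows]

def archive_alerts(db, move=True):
    """Section 6.3.7: copy every alert into snort_archive; move=True also deletes it from main."""
    for tbl in TABLES:
        db.execute(f"INSERT OR IGNORE INTO snort_archive.{tbl} SELECT * FROM main.{tbl}")
    if move:
        db.execute("DELETE FROM main.event")
        db.execute("DELETE FROM main.iphdr")
    return db.execute("SELECT COUNT(*) FROM snort_archive.event").fetchone()[0]
```

The search is parameterized, so a pattern typed into the search form is passed as data rather than pasted into the query string.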

6.3.8 ACID Tables

When you start using ACID for the first time, it creates its own tables in the Snort database. These tables are used for housekeeping functions of ACID. For example, you can create new alert groups (AG) in ACID, and ACID keeps a record of them in its own tables. This section shows a list of MySQL database tables before and after configuring ACID. The following is a list of tables as they appear before using ACID for the first time.

    mysql> show tables;
    +------------------+
    | Tables_in_snort  |
    +------------------+
    | data             |
    | detail           |
    | encoding         |
    | event            |
    | flags            |
    | icmphdr          |
    | iphdr            |
    | opt              |
    | protocols        |
    | reference        |
    | reference_system |
    | schema           |
    | sensor           |
    | services         |
    | sig_class        |
    | sig_reference    |
    | signature        |
    | tcphdr           |
    | udphdr           |
    +------------------+
    19 rows in set (0.01 sec)

    mysql>

The following is a list of tables after the creation of ACID tables in the database. The user name that was used for ACID must have permission to create new tables. Refer to Chapter 5 for information about granting permissions.